In a new wave of crypto theft, scammers are employing Telegram verification bots to inject malware into users’ systems, ultimately stealing crypto from compromised wallets. According to blockchain security firm Scam Sniffer, this is the first time such a scam has used a combination of fake social media accounts, fake Telegram channels, and malicious Telegram bots.
How the Scam Works
The scam begins with fraudsters creating fake accounts on X (formerly Twitter) that impersonate popular cryptocurrency influencers. These fake accounts invite users to join Telegram groups, promising exclusive investment tips or crypto-related insights. Once users join these Telegram groups, they are urged to verify their identity through a bot called “OfficiaISafeguardBot.”
This verification process is a trick. The bot creates a sense of urgency by limiting the time available for verification, pressuring users to act quickly. Once the user interacts with the bot, it injects malicious PowerShell code into their system, which subsequently downloads malware that compromises the user’s crypto wallet and private keys.
The Impact of Malicious Bots
The malware from these fake Telegram verification bots has led to numerous cases of crypto theft, with scammers gaining access to private keys and draining wallets. Scam Sniffer noted that the infrastructure behind this malware is evolving rapidly and becoming more sophisticated. In many cases, these scams have grown into a “scam-as-a-service” model, with scammers selling their malware tools to others looking to exploit unsuspecting victims.
While similar scams have used fake Telegram channels in the past, this is the first known instance where a specific combination of fake X accounts, Telegram groups, and malicious bots has been used to target crypto users.
A Surge in Crypto Impersonation Scams
Scam Sniffer has reported an increase in impersonation scams on X, with over 300 fake accounts impersonating well-known crypto influencers in just the first ten days of December. This is a significant rise compared to the 160 fake accounts observed in November. Victims of these scams have already lost millions of dollars, with at least two individuals losing over $3 million by clicking on malicious links or signing fraudulent transactions.
Additional Threats to Web3 Workers
Cado Security Labs and Cyvers, a Web3 security platform, have also warned of phishing campaigns targeting Web3 workers. These scams involve fake meeting apps designed to inject malware and steal credentials for websites, apps, and crypto wallets. Experts predict that phishing attacks could surge in December as hackers take advantage of the increase in online transactions during the holiday season.